You’ve convinced management to do a BIA, and now it’s time to jump in. But, wait! A proper business impact analysis requires some preparation. You don’t jump into a body of water without looking at it first and changing into swim trunks or at least taking everything out of your pockets. Otherwise, you might hit a rock or damage the phone in your pocket. The same logic applies to a BIA. Preparing for a BIA is critical to its success.
Here, we’ll outline the prep work required to conduct a solid BIA, one that is worth your while and creates tangible results. In the following, we assume a basic understanding of the concept and components of the BIA.
Determine your strategy for the BIA
A typical BIA uses a more formal process consisting of interviewing stakeholders, scoring that uses impact categories to calculate an RTO, and reviewing and discussing dependencies, applications and RPOs. This can take significant time, but there are other options. In addition to the formal BIA you can perform:
- Informal BIA. This strategy uses quick and informal interviews where rather than spending time scoring impacts, participants engage in a discussion around the timing of when a process needs to be functional and why. You can include a discussion on applications needed and focus only on critical dependencies.
- Questionnaire. This strategy involves obtaining the necessary information using a questionnaire, following up as needed. Be sure to include all the information desired. We typically try to acquire information similar to that gathered in the informal interview.
- Hybrid. This strategy involves using both a formal and informal process for each department based on its criticality, last BIA performed, or recent organizational changes.
Determine your RTO and RPO
Before we dive into preparing for a BIA, here is a quick reminder of the difference between the RTO and RPO. The RTO (recovery time objective) is the recovery time for a process or application; the RPO (recovery point objective) is the recovery point, or the maximum acceptable amount of data loss for an application.
Here are some things to keep in mind:
- Before performing the BIA, ensure that the RTO and RPO categories have been defined and approved by appropriate management.
- Ensure that those participating in the BIA understand the concept and values.
- Be careful not to define too many values for the RTO and RPO. Anything more than 6 takes time and does not really provide added value. From a recovery strategy perspective there is really no difference between < 12 hours and < 8 hours.
- It is the same for the data protection strategy; there is a difference between zero data loss and < 4-hour data loss, but not between < 8 and < 4 hours. Here are example RTO and RPO categories:
Determine the Scoring Categories and Ranges
The following is an example of the scoring categories for a formal BIA. These can be modified or reduced for an informal BIA or a questionnaire.
For both quantitative and qualitative categories, determine the score range (such as 1 – 4 or 1 – 5). Again, anything more does not add value. For the quantitative category, determine the dollar range for each score. This will be different for each organization. It is often based on the revenue of the organization and how much it is willing to lose, then broken down relatively evenly across the score values.
Determine the Departments and Participants
Ideally, you would include all the departments in the organization, but if time or budget is limited, it may make sense to identify only the most critical processes and departments. See above for a discussion of performing a formal or informal BIA depending on the need or criticality of departments.
Once you’ve selected the departments, identify the participants. Include both management and individual contributors, but do not try to include all individuals performing a process or in a department. Individuals participating need to be able to see the impact the process has across the organization.
Develop the Questionnaire or Pre-work Document
If you are using either a formal or informal BIA, you will still need to develop a questionnaire to use or a “pre-work” document for the departments to complete prior to the interview to help facilitate the discussion. Ensure that you have included an example of how to fill out either document, as well as the appropriate level of detail and information.
No matter what BIA strategy you use, preparing for a BIA is the key to making it efficient and effective. Something is better than nothing, so even an informal “back of the envelope” discussion on process RTO needs and applications required will get you the information necessary to develop a basic strategy and will provide IT with some information to start on the technology recovery strategy. You may still not have all the information you need, but this outline provides a guide on how to get started. Good luck on your BIA!
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.